Removed dodgy work-around for resumed TLS sessions given that JDK-821…
…2885 fix has been ported to Java 11 and released in Oracle JDK 11.0.3
ok2c committed Feb 15, 2020
1 parent d601aff commit 934a6d5
Showing 1 changed file with 1 addition and 26 deletions.
Expand Up @@ -39,9 +39,6 @@
import javax.net.ssl.SSLSession;
import javax.security.auth.x500.X500Principal;

import org.apache.hc.core5.http.ParseException;
import org.apache.hc.core5.http.ProtocolVersion;
import org.apache.hc.core5.http.ssl.TLS;
import org.slf4j.Logger;

final class TlsSessionValidator {
Expand Down Expand Up @@ -100,29 +97,7 @@ void verifySession(
}

if (hostnameVerifier != null) {
final Certificate[] certs;
try {
certs = sslsession.getPeerCertificates();
} catch (final SSLPeerUnverifiedException ex) {

// FIXME: This is very dodgy.
// If peer certificates are unavailable and the TLS version is 1.3 or greater
// _assume_ this is due to PSK (pre-shared key) TLS session resumption
// Resumed TLS sessions do not include server certificates.

// The issue is considered a bug in Java Security libraries and
// is being tracked as JDK-8212885

try {
final ProtocolVersion tls = TLS.parse(sslsession.getProtocol());
if (tls.greaterEquals(TLS.V_1_3.version)) {
return;
}
throw ex;
} catch (final ParseException ex2) {
throw ex;
}
}
final Certificate[] certs = sslsession.getPeerCertificates();
if (certs.length < 1) {
throw new SSLPeerUnverifiedException("Peer certificate chain is empty");
}
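Review bot: The replacement line `final Certificate[] certs = sslsession.getPeerCertificates();` now lets SSLPeerUnverifiedException propagate, which is the right default, but nothing at the call site records why a missing peer chain must fail rather than be tolerated, so the removed "assume PSK resumption" shortcut is likely to be reintroduced by whoever hits this exception on a JDK 11 build older than 11.0.3. I would keep a one-line comment above it: `// A missing peer chain fails verification; resumed TLS 1.3 sessions carry certificates once JDK-8212885 is fixed (Java 11.0.3+), so do not skip the check here.` Since the behaviour change is runtime-dependent rather than a code regression, the minimum supported JDK is also worth stating in the class Javadoc or release notes. verifySession begins before this hunk, so the surrounding null/empty handling of sslsession is not visible here.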
